So that is what I have and what I've done... pretty much following the latest documentation and some tutorials I came across:
Install the cert-manager namespace:
kubectl create namespace cert-manager
Install cert-manager:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml
Verify installation... should be three running Pods and there are:
kubectl get pods --namespace cert-manager
Run test to make sure it is able to issue certificate types... passes.
Make an issuer.yaml:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: 'my#email.com'
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
Make a certificate.yaml:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: examplewebsite-com-tls
spec:
  secretName: examplewebsite-com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: examplewebsite.com
  dnsNames:
  - test.examplewebsite.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - test.examplewebsite.com
Update ingress.yaml to reflect this:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
  name: ingress-service
  namespace: default
spec:
  tls:
  - hosts:
    - test.examplewebsite.com
    secretName: examplewebsite-com
  rules:
  - host: test.examplewebsite.com
    http:
      paths:
      - path: /?(.*)
        backend:
          serviceName: client-cluster-ip-service
          servicePort: 3000
      - path: /api/?(.*)
        backend:
          serviceName: api-cluster-ip-service
          servicePort: 5000
Apply all of these and run into the following issues.
$ kubectl describe certificate examplewebsite-com-tls
Status:
  Conditions:
    Last Transition Time:  2020-01-28T23:52:45Z
    Message:               Waiting for CertificateRequest "examplewebsite-com-tls-2527238951" to complete
    Reason:                InProgress
    Status:                False
    Type:                  Ready
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Requested  117s  cert-manager  Created new CertificateRequest resource "examplewebsite-com-tls-2527238951"
And it just sits there indefinitely.
$ kubectl describe secret examplewebsite-com
Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  0 bytes
tls.key:  1675 bytes
DNS is set up properly because I can navigate to the website and see the application; https:// just doesn't work.
What am I doing wrong here?
The certification.yaml is not necessary at all.
Really, I only needed this after following the installation instructions:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email>
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: ingress
  namespace: default
spec:
  tls:
  - hosts:
    - test.domain.com
    secretName: test-domain-com
  rules:
  - host: test.domain.com
    http:
      paths:
      - path: /?(.*)
        backend:
          serviceName: client-cluster-ip-service
          servicePort: 3000
      - path: /api/?(.*)
        backend:
          serviceName: api-cluster-ip-service
          servicePort: 5000
Very well written and current (as of 1/30/20) tutorial here:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
Related
I have tried using jetstack/cert-manager to secure my application launched on EKS, but I still see "Not Secure". I am not sure what I missed. Here is what I have done:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: something#gmail.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
My manifest looks as follows:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: wordpress
        image: wordpress:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: wordpress
spec:
  selector:
    app: wordpress
  ports:
  - protocol: TCP
    port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wordpress
            port:
              number: 80
  tls:
  - hosts:
    - mydomain.com
    secretName: letsencrypt-production
When I do
kubectl describe certificate letsencrypt-production
I don't see anything under Events like Issued or Requested:
Status:
  Conditions:
    Last Transition Time:  2022-12-22T06:04:30Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2023-03-21T11:04:22Z
  Not Before:              2022-12-21T11:04:23Z
  Renewal Time:            2023-02-19T11:04:22Z
Events:                    <none>
When I open my domain I see NET::ERR_CERT_AUTHORITY_INVALID.
What did I miss? Any help?
I can get it to work by creating a cluster-issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <my_email_id>
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
and creating an ingress resource as follows:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          service:
            name: wordpress
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - mydomain.com
    secretName: letsencrypt-production
Objects below. This worked fine getting a staging cert from Let's Encrypt, but now that I've cut over to prod it does not work and has been hanging for >12 hrs.
The public IP is the correct one (I can navigate to it via https://website.gg and get the expected cert errors, same with ping etc.)
All subdomains are correctly routed to this same public/external IP
CertificateIssuer has been hanging for 12 hours and seems to have no chance to resolve.
Relevant objects:
Certificate:
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  creationTimestamp: "2022-01-21T06:01:42Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: mysecret-tls
  namespace: mine
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Ingress
    name: mine-api-ingress
    uid: fbbfdbac-5480-469e-8230-6d018d5ef151
  resourceVersion: "11962900"
  uid: 2710c043-7f95-4576-982f-03b702038105
spec:
  dnsNames:
  - website.gg
  - '*.website.gg'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: mysecret-tls
status:
  conditions:
  - lastTransitionTime: "2022-01-21T06:01:42Z"
    message: Waiting for CertificateRequest "mysecret-tls-3406177836" to complete
    reason: InProgress
    status: "False"
    type: Ready
ClusterIssuer:
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  annotations:
    meta.helm.sh/release-name: mine-api
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-01-17T03:43:44Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: letsencrypt-prod
  resourceVersion: "10876278"
  uid: 27b34bfe-16e7-4d51-9229-ad12abb52df6
spec:
  acme:
    email: myemail#email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
status:
  acme:
    lastRegisteredEmail: myemail#email.com
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/367378310
  conditions:
  - lastTransitionTime: "2022-01-17T03:43:44Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
CertificateRequest:
Issuer Ref:
  Group:  cert-manager.io
  Kind:   ClusterIssuer
  Name:   letsencrypt-prod
Status:
  Conditions:
    Last Transition Time:  2022-01-21T06:01:44Z
    Message:               Waiting on certificate issuance from order mine/mysecret-tls-3406177836-1310394537: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:  <none>
Ingress:
...
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  ...
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: mine-api-service
            port:
              number: 80
        path: /api/(.*)
        pathType: Prefix
      - backend:
          service:
            name: mine-bot-service
            port:
              number: 80
        path: /bot/(.*)
        pathType: Prefix
      - backend:
          service:
            name: mine-ui-service
            port:
              number: 80
        path: /(.*)
        pathType: Prefix
  tls:
  - hosts:
    - website.gg
    - '*.website.gg'
    secretName: mysecret-tls
status:
  loadBalancer:
    ingress:
    - hostname: a605c42f1adc44435bb1cab34ee9bf3a
      ip: {my-public-ip}
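The Certificate in this question, like the one in the first question above, only reports "Waiting for CertificateRequest ... to complete"; the real blocker sits further down the chain in the Order or Challenge. This added example (not from any post on this page) walks that chain from the JSON `kubectl get certificate|certificaterequest|order|challenge -o json` returns and names the first link that is not finished; the sample objects are constructed to mirror the stuck Certificate above.

```python
# Walk Certificate -> CertificateRequest -> Order -> Challenge (cert-manager
# names each child after its parent plus a hash suffix) and report the first
# object that is not done. Objects are the dicts kubectl -o json returns.

def ready(obj):
    """Return the Ready condition dict of a cert-manager object, or None."""
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == "Ready":
            return c
    return None

def children(parent, objs):
    """Child objects are named <parent-name>-<hash>."""
    prefix = parent["metadata"]["name"] + "-"
    return [o for o in objs if o["metadata"]["name"].startswith(prefix)]

def triage(cert, requests, orders, challenges):
    """Return (stage, detail) for the first incomplete link in the chain."""
    cond = ready(cert)
    if cond and cond.get("status") == "True":
        return ("done", cond.get("message", ""))
    crs = children(cert, requests)
    if not crs:
        return ("certificate", "no CertificateRequest created yet")
    cr_cond = ready(crs[-1]) or {}
    ords = children(crs[-1], orders)
    if not ords:
        return ("certificaterequest", cr_cond.get("message", "no Order created"))
    order = ords[-1]
    ostatus = order.get("status", {})
    chs = children(order, challenges)
    if not chs:  # no Challenge yet: the Order itself carries the reason
        return ("order", f"state={ostatus.get('state')}: {ostatus.get('reason', '')}")
    ch = chs[-1]
    s = ch.get("status", {})
    return ("challenge", f"{ch['spec']['type']} {ch['spec']['dnsName']} "
                         f"state={s.get('state')}: {s.get('reason', '')}")

# Constructed sample: Order still pending on an HTTP-01 challenge the ACME server cannot fetch.
SAMPLE_CERT = {"metadata": {"name": "mysecret-tls"}, "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "InProgress",
     "message": 'Waiting for CertificateRequest "mysecret-tls-3406177836" to complete'}]}}
SAMPLE_REQUESTS = [{"metadata": {"name": "mysecret-tls-3406177836"}, "status": {
    "conditions": [{"type": "Ready", "status": "False", "reason": "Pending"}]}}]
SAMPLE_ORDERS = [{"metadata": {"name": "mysecret-tls-3406177836-1310394537"},
                  "status": {"state": "pending"}}]
SAMPLE_CHALLENGES = [{"metadata": {"name": "mysecret-tls-3406177836-1310394537-1"},
                      "spec": {"type": "HTTP-01", "dnsName": "website.gg"},
                      "status": {"state": "pending", "reason": "wrong status code '404', expected '200'"}}]
```

Note that a wildcard name such as `'*.website.gg'` cannot be validated by HTTP-01 at all; Let's Encrypt issues wildcard certificates only through DNS-01, so an Order for a Certificate that lists one will not progress with an http01-only solver.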
I'm trying to deploy a simple Ingress service. It works as a plain Ingress without the secure function (TLS), but when I include the TLS cert it always returns "backend - 404 error".
I already installed "cert-manager" and "ingress-nginx" and checked that this install is OK.
EDIT: I explained all the steps I'm doing.
EDIT2: I updated the cert-manager version to v1.5.4.
These were the steps:
1.- Install the nginx controller for my IP
helm install bitnami/nginx-ingress-controller --set controller.service.loadBalancerIP="[MY-STATIC-IP]",rbac.create=true --generate-name
2.- Apply deployment and service (app.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: taxisbahiadeploy
  labels:
    type: endpoints-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: taxisbahiadeploy
  template:
    metadata:
      labels:
        app: taxisbahiadeploy
    spec:
      containers:
      - name: taxisbahiadeploy
        image: gcr.io/google-samples/hello-app:1.0
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: taxisbahia
spec:
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    app: taxisbahiadeploy
3.- Configure let's encrypt
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager \
  --namespace cert-manager \
  --version v1.5.4 \
  jetstack/cert-manager
4.- Apply the Issuer (issuer.yaml)
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: 'fco#ggggg.com'
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'fco#ggggg.com'
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
5.- Final Step, this is the Ingress where it fails (ingress-tls.yaml)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: esp-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - domain.com
    secretName: esp-tls
  rules:
  - host: domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: taxisbahia
            port:
              number: 8080
I think your TLS domain part should be something like the following. Check your host:
spec:
  tls:
  - hosts:
    - example.example.com
    secretName: quickstart-example-tls
Reference: https://cert-manager.io/docs/tutorials/acme/ingress/
First of all make sure that you are actually visiting https://yourapp.com
Had the same issue but then I realized I was actually trying HTTP, which is no longer available after TLS is added.
I'm trying to run a TLS certificate on Google Cloud Engine to enable HTTPS on my domain. For some reason, after inspecting the certificate in Google I see that it is not ready.
Here's my certification object:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: admin-panel-com-tls
spec:
  secretName: api-tls-crt-secret
  issuerRef:
    name: letsencrypt-prod-admin-panel
    kind: ClusterIssuer
  commonName: admin-panel.staging.test.com
  dnsNames:
  - admin-panel.staging.test.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - admin-panel.staging.test.com
And my cert issuer object:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: 'test#email.com'
    privateKeySecretRef:
      name: letsencrypt-prod-admin-panel
    http01: {}
My ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: admin-panel-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod-admin-panel
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - admin-panel.staging.test.com
    secretName: api-tls-crt-secret
  rules:
  - host: admin-panel.staging.test.com
    http:
      paths:
      - path: /.*
        backend:
          serviceName: admin-panel-service
          servicePort: 3000
      - path: /api/.*
        backend:
          serviceName: admin-panel-server-service
          servicePort: 3001
      - path: /auth/.*
        backend:
          serviceName: admin-panel-server-service
          servicePort: 3001
What am I missing here?
Also, after pointing my DNS at the ingress config I'm getting: default backend - 404
I have made big progress; now I'm generating the certificates with this ingress (using certmanager.k8s.io):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/acme-http01-edit-in-place: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    configuration.konghq.com: sample-kong-ingress
    kubectl.kubernetes.io/last-applied-configuration: |
      {"a big json"}
    kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.global-static-ip-name: name-public-ip
  generation: 14
  name: name-ingress
  namespace: default
  resourceVersion: "11158958"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/name-ingress
spec:
  backend:
    serviceName: kong-proxy
    servicePort: 8080
  tls:
  - hosts:
    - www.a.host.com
    secretName: a-name-to-secret-tls
status:
  loadBalancer:
    ingress:
    - ip: XX.XXX.XXX.XXX
But now I'm getting this error:
Reason: ingress default/name-ingress uses unsupported LBType
LoadBalancer for cloud provider
Maybe someone who uses GKE has some idea?
Thanks for your time in advance.
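Several of the threads above come down to wiring mistakes between the Ingress annotation, the issuer object and the TLS hosts: here the `certmanager.k8s.io/cluster-issuer` annotation names `letsencrypt-prod-admin-panel` while the only ClusterIssuer is called `letsencrypt-prod`, and in the EKS question the Ingress had a `tls.hosts` entry with no matching `rules[].host`. This added example (not from any post on this page) lints a set of manifests for exactly those mismatches; objects are passed as plain dicts (what a YAML loader or `kubectl get -o json` yields), Issuer namespaces are ignored for brevity, and the sample set is constructed to mirror this question's objects.

```python
# Cross-check cert-manager wiring across Ingress, Issuer and ClusterIssuer
# manifests before applying them. Returns human-readable problems; empty = OK.

# annotation -> (kind it must name, API group the annotation belongs to)
ISSUER_ANNOTATIONS = {
    "cert-manager.io/cluster-issuer": ("ClusterIssuer", "cert-manager.io"),
    "cert-manager.io/issuer": ("Issuer", "cert-manager.io"),
    "certmanager.k8s.io/cluster-issuer": ("ClusterIssuer", "certmanager.k8s.io"),
    "certmanager.k8s.io/issuer": ("Issuer", "certmanager.k8s.io"),
}

def lint(objs):
    """Return a list of problem strings; an empty list means consistent wiring."""
    problems = []
    issuers = {(o["kind"], o["metadata"]["name"]): o
               for o in objs if o["kind"] in ("Issuer", "ClusterIssuer")}
    for ing in (o for o in objs if o["kind"] == "Ingress"):
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        refs = [(k, v) for k, v in ann.items() if k in ISSUER_ANNOTATIONS]
        if not refs:
            problems.append(f"{name}: no issuer annotation, ingress-shim will not request a certificate")
        for key, val in refs:
            kind, group = ISSUER_ANNOTATIONS[key]
            issuer = issuers.get((kind, val))
            if issuer is None:
                problems.append(f"{name}: {key}={val} but no {kind} named {val!r} exists")
            elif not issuer["apiVersion"].startswith(group + "/"):
                # legacy certmanager.k8s.io annotation against a cert-manager.io object, or vice versa
                problems.append(f"{name}: annotation {key} but {kind} uses apiVersion {issuer['apiVersion']}")
        rule_hosts = {r.get("host") for r in ing["spec"].get("rules", [])}
        for tls in ing["spec"].get("tls", []):
            for host in tls.get("hosts", []):
                if host not in rule_hosts:
                    problems.append(f"{name}: tls host {host} has no matching rules[].host")
    return problems

# Constructed sample mirroring the question: the annotation names a ClusterIssuer that does not exist.
SAMPLE = [
    {"apiVersion": "certmanager.k8s.io/v1alpha1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-prod"}},
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "admin-panel-ingress", "annotations": {
         "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod-admin-panel"}},
     "spec": {"tls": [{"hosts": ["admin-panel.staging.test.com"],
                       "secretName": "api-tls-crt-secret"}],
              "rules": [{"host": "admin-panel.staging.test.com"}]}},
]
```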